From 5ab9f9ffb09d7d46da421f16ccf1c5bb7e0b7811 Mon Sep 17 00:00:00 2001
From: Bastien Grasnick
Date: Wed, 1 Nov 2023 14:39:58 +0100
Subject: [PATCH] Feat: 771 remove unnecessary security concerns (#926)

* feat: reduce privileges granted through SCC for OpenShift

Signed-off-by: Bastien Grasnick

* feat: set mounted volumes as read only as much as possible

Signed-off-by: Bastien Grasnick

* feat: set pod hostPID to true to avoid collisions/unwanted behavior in host PID namespace

Signed-off-by: Bastien Grasnick

* feat: remove unnecessary mount of /sys/kernel/debug

Signed-off-by: Bastien Grasnick

---------

Signed-off-by: Bastien Grasnick
---
 manifests/config/exporter/exporter.yaml | 3 +++
 manifests/config/exporter/openshift_scc.yaml | 6 +++---
 manifests/config/exporter/patch/patch-openshift.yaml | 9 ++-------
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/manifests/config/exporter/exporter.yaml b/manifests/config/exporter/exporter.yaml
index 96a2b31abd..1dc9da8031 100644
--- a/manifests/config/exporter/exporter.yaml
+++ b/manifests/config/exporter/exporter.yaml
@@ -55,6 +55,7 @@ spec:
 key: node-role.kubernetes.io/master
 dnsPolicy: ClusterFirstWithHostNet
 serviceAccountName: kepler-sa
+ hostPID: true
 containers:
 - name: kepler-exporter
 image: kepler:latest
@@ -86,8 +87,10 @@ spec:
 volumeMounts:
 - mountPath: /lib/modules
 name: lib-modules
+ readOnly: true
 - mountPath: /sys
 name: tracing
+ readOnly: true
 - mountPath: /proc
 name: proc
 - mountPath: /var/run
diff --git a/manifests/config/exporter/openshift_scc.yaml b/manifests/config/exporter/openshift_scc.yaml
index fb9820ce82..7dd803f595 100644
--- a/manifests/config/exporter/openshift_scc.yaml
+++ b/manifests/config/exporter/openshift_scc.yaml
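Review bot: The new `hostPID: true` in the pod spec is a privilege grant, not a reduction — it gives the container visibility into every process on the node, and together with the `privileged: true` securityContext that the OpenShift patch in this same commit keeps, it allows ptrace of host processes — yet the commit message describes it as avoiding "collisions", and nothing in the manifest records why the host PID namespace is needed. Add a comment above the new line so the requirement is auditable, e.g. `# hostPID: needed to read host process information by PID (verify against the exporter's /proc usage); this exposes the full host process tree to the container`. If the exporter does not in fact key metrics by host PID, the line should be dropped rather than documented.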
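Review bot: The `/proc` hostPath mount two lines below the new `readOnly: true` entries is still mounted read-write, although `/lib/modules` and `/sys` now get the flag and the commit says volumes are read-only "as much as possible"; unless the exporter writes under `/proc` (for example `/proc/sys`), add `readOnly: true` under `name: proc` as well (the `/var/run` mount is cut off at the hunk edge, so I cannot tell whether it was handled). Separately, a read-only `/sys` also makes tracefs under `/sys/kernel/tracing` read-only; if the BPF probe attach path ever falls back to writing `kprobe_events` there (the legacy path on kernels without perf_event_open-based kprobe attach), probe attachment will now fail silently at startup. Worth a comment on the `/sys` mount, e.g. `# read-only: probes must attach via perf_event_open, not by writing to tracefs`, and a test on an older kernel to confirm.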
@@ -6,9 +6,9 @@ metadata:
 # To allow running privilegedContainers
 allowPrivilegedContainer: true
 allowHostDirVolumePlugin: true
-allowHostNetwork: true
-allowHostPorts: true
-allowHostIPC: true
+allowHostNetwork: false
+allowHostPorts: false
+allowHostIPC: false
 allowHostPID: true
 readOnlyRootFilesystem: true
 defaultAddCapabilities:
diff --git a/manifests/config/exporter/patch/patch-openshift.yaml b/manifests/config/exporter/patch/patch-openshift.yaml
index 79a5c72fa0..04b9f8a732 100644
--- a/manifests/config/exporter/patch/patch-openshift.yaml
+++ b/manifests/config/exporter/patch/patch-openshift.yaml
@@ -19,15 +19,10 @@ spec:
 volumeMounts:
 - name: kernel-src
 mountPath: /usr/src/kernels
- - name: kernel-debug
- mountPath: /sys/kernel/debug
+ readOnly: true
 securityContext:
 privileged: true
- volumes:
- - name: kernel-debug
- hostPath:
- path: /sys/kernel/debug
- type: Directory
+ volumes:
 - name: kernel-src
 hostPath:
 path: /usr/src/kernels
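Review bot: `allowHostNetwork: false` looks inconsistent with the exporter pod spec in this same commit, which still carries `dnsPolicy: ClusterFirstWithHostNet` — a policy that only makes sense for a pod running with `hostNetwork: true`. If the DaemonSet still sets `hostNetwork: true` (the line is outside the shown hunks, so I cannot confirm), OpenShift admission will reject the pod under this SCC and it will never schedule; either drop `hostNetwork` and switch `dnsPolicy` to `ClusterFirst`, or keep `allowHostNetwork: true` and document why. Also note that `allowPrivilegedContainer: true` and `allowHostPID: true` remain, so the reduction is limited to network and IPC; I would extend the comment at the top of the hunk to say so, e.g. `# Still grants privileged containers, hostPath volumes and the host PID namespace; host network, host ports and host IPC are not allowed`.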
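Review bot: The new `readOnly: true` on the `/usr/src/kernels` mount sits directly above `privileged: true`, which this patch keeps; a privileged container can remount the path read-write or open the backing block device, so the flag only prevents accidental writes and should not be read as a security boundary. I would say so next to the securityContext, e.g. `# privileged: readOnly mounts above only guard against mistakes; a privileged container can remount or read the host disk directly`. Dropping the `/sys/kernel/debug` mount is the real improvement here, provided the exporter no longer needs debugfs at runtime (BCC-style tooling traditionally did) — please confirm that on a cluster rather than only on a kernel that exposes tracefs via `/sys/kernel/tracing`.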